ACL Byte Counters

An ACL byte counter associated with a particular rule, either dynamic or static, shows how many bytes of traffic have matched that ACL rule. You can use ACL byte counters as an alternative to packet counters on the platforms listed for this feature in the Feature License Requirements document.

A new ACL action token has been added to associate a byte counter with an ACL, along with a corresponding new token for a packet counter.

Following are the two new tokens:

byte-count byte counter name

packet-count packet counter name

An ACL rule that specifies both a packet counter and a byte counter is rejected.

Below is an example of an ACL rule that uses a byte counter:
entry CountBytes {
	if {
		ethernet-source-address 00:aa:00:00:00:10;
	} then {
		byte-count CountBytes;
		permit;
	}
}

Below are two examples of ACL rules that use packet counters. The "packet-count" token is a synonym of the existing "count" token.
entry CountPacket1 {
	if {
		ethernet-source-address 00:aa:00:00:00:10;
	} then {
		count CountPacket1;
		permit;
	}
}
 
entry CountPacket2 {
	if {
		ethernet-source-address 00:aa:00:00:00:10;
	} then {
		packet-count CountPacket2;
		permit;
	}
}

The output of the show access-list counter and show access-list dynamic counter commands has been changed to include a new "Byte Count" column in addition to the "Packet Count" column. When a rule utilizes a byte counter, the "Byte Count" field is incremented and the "Packet Count" field stays at zero. If a rule utilizes a packet counter, the "Packet Count" field is incremented and the "Byte Count" field stays at zero.

Note

Byte counters and packet counters cannot be used at the same time in the same rule.
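
Because a rule that combines both counter types is rejected, a policy file can be checked for such entries before it is applied. The following Python check is an added example, not part of the original documentation or of any vendor tool; the function names and the sample policy are constructed for illustration, treating # as a comment marker is an assumption, and only the entry / if / then layout shown above is handled.

```python
import re

# Constructed sample policy (not from the original page).
# The entry "Mixed" deliberately combines both counter types.
SAMPLE_POLICY = """
entry CountBytes {
    if { ethernet-source-address 00:aa:00:00:00:10; } then {
        byte-count CountBytes;
        permit;
    }
}
entry CountPacket2 {
    if { ethernet-source-address 00:aa:00:00:00:10; } then {
        packet-count CountPacket2;
        permit;
    }
}
entry Mixed {
    if { ethernet-source-address 00:aa:00:00:00:10; } then {
        count MixedPkts;
        byte-count MixedBytes;
        permit;
    }
}
"""

# "packet-count" is a synonym of the existing "count" token.
PACKET_TOKENS = {"count", "packet-count"}
BYTE_TOKENS = {"byte-count"}
# Captures the entry name and the body of its "then" block.
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{[^}]*\}\s*then\s*\{([^}]*)\}\s*\}")

def counters_by_entry(policy_text):
    """Return {entry name: {"packet": [counter names], "byte": [counter names]}}."""
    text = re.sub(r"#.*", "", policy_text)  # assumption: '#' starts a comment
    result = {}
    for name, actions in ENTRY_RE.findall(text):
        found = {"packet": [], "byte": []}
        for stmt in actions.split(";"):
            words = stmt.split()
            if len(words) == 2 and words[0] in PACKET_TOKENS:
                found["packet"].append(words[1])
            elif len(words) == 2 and words[0] in BYTE_TOKENS:
                found["byte"].append(words[1])
        result[name] = found
    return result

def mixed_counter_entries(policy_text):
    """Names of entries that use both a packet counter and a byte counter."""
    return [n for n, c in counters_by_entry(policy_text).items() if c["packet"] and c["byte"]]
```

Calling mixed_counter_entries on the text of a policy file returns the names of the entries to fix; an empty list means no entry mixes the two counter types.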